Why Set up an Offline Savings Wallet?

Modern operating systems are highly complex, leading to a large attack surface. They also constantly leak information without the user’s knowledge or consent.

No matter how many precautions you take, it is very hard to ensure your wallet is reasonably secure on an Internet-connected computer.

Because Bitcoins can be stored directly on your computer and because they are real money, the motivation for sophisticated and targeted attacks against your system is very high. Previously, only large organizations had to worry about advanced attacks.

Overview of existing solutions

The bitcoin ecosystem is still relatively young, and unfortunately not many user-friendly and highly secure wallets have been developed yet.

Today these are the two best ways to secure your bitcoins against theft:

Used correctly, an air-gapped wallet is safe from all online threats, such as viruses and hackers. It is however still exposed to offline threats, such as hardware keyloggers, extortion, or people looking over your shoulder.

To spend funds from cold storage securely, an unsigned transaction is generated on an Internet-connected computer. An unsigned transaction is akin to an unsigned check. The unsigned transaction is then transferred to the air-gapped computer to be verified and signed with the wallet keys.

Using a cold storage wallet on an air-gapped computer may seem tedious, but remember that security almost always comes at the cost of convenience.

Security warning

When you deposit money at a bank, you let them worry about security. Bitcoins, however, are stored on your computer and that means you are fully responsible for securing them.

Unfortunately, most people are not security experts, which means it's very hard for them to fully understand the risks. They usually don't. This increases the risk of making a fatal mistake that will result in Bitcoin theft.

For example, paper wallets are typically generated by potentially compromised PCs connected to the Internet, then printed for offline storage. This is not enough, as malware running on the computer may steal your private keys and then later steal any Bitcoin you send to that address. Many Internet-connected printers also save printed documents to memory.

Setting up an offline wallet from scratch

There used to be no other way to set up an offline wallet than to do it from scratch. Today there are solutions such as BitKey that can help simplify the process.

If you're still interested in doing things the hard way, the rest of this guide will instruct you on how to create an offline wallet by hand.

How to Deposit Funds

Sign up for a few different cloud drive accounts such as Dropbox or Google Drive.

Create a strong and unique passphrase offline (manually). This passphrase should be TRULY random. Diceware is a good way of generating the passphrase. It should be at least 12 words long.

Never use this passphrase elsewhere, especially not on the web.

Do not forget this passphrase. Recite it several times a day. It is easy to overestimate your ability to remember a passphrase several months in the future. To be on the safe side, write it down and store the piece of paper in a safe deposit box.

Verify the software's release signatures from an alternative device and internet connection (e.g. your smartphone). This makes sure you are not using a malicious program that poses as the bona fide bitcoin-core client.

Shut down your computer, and boot Ubuntu (or the Linux distribution of your choice) from a live CD. This will not affect your current operating system.

Disconnect the machine from the internet. Unplug any network cables and disable wireless. Verify that wireless is disabled in the icon on the upper right corner (Ubuntu). Double check that the machine is disconnected by opening the web browser.

Run bitcoin while disconnected from the internet. The client will show 0 connections and 0 blocks, but it will still generate a wallet.dat file and a bitcoin address.
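The disconnect check in the steps above can also be read from the kernel's own link state rather than inferred from a browser error. The script below is an added example, not part of the original guide; the function names `live_ifaces` and `airgap_ok` are made up here, and it assumes a Linux live session that exposes interfaces under /sys/class/net.

```shell
#!/bin/sh
# Added example: report network interfaces that still have link.
# Usage on the live session:  . ./airgap_check.sh && airgap_ok
# An optional argument replaces /sys/class/net (used for testing).

# Print the name of every non-loopback interface that has link.
# operstate "up" means a live link. Some drivers (USB adapters, tunnels)
# only ever report "unknown", so for those the carrier flag decides.
live_ifaces() {
    netdir="${1:-/sys/class/net}"
    for path in "$netdir"/*; do
        [ -d "$path" ] || continue          # skip plain files and empty globs
        name=${path##*/}
        if [ "$name" = "lo" ]; then continue; fi
        # Reading carrier on an administratively-down interface fails;
        # treat that, and a missing file, as "no link".
        state=$(cat "$path/operstate" 2>/dev/null || echo unknown)
        carrier=$(cat "$path/carrier" 2>/dev/null || echo 0)
        if [ "$state" = "up" ]; then
            echo "$name"
        elif [ "$state" = "unknown" ] && [ "$carrier" = "1" ]; then
            echo "$name"
        fi
    done
    return 0
}

# Return 0 only when no interface has link; otherwise name the offenders.
airgap_ok() {
    live=$(live_ifaces "${1:-}")
    if [ -n "$live" ]; then
        echo "NOT disconnected, link present on:" $live >&2
        return 1
    fi
    echo "no live network interfaces found"
    return 0
}
```

A Wi-Fi adapter that is powered but not associated reports no link, so this check complements disabling wireless and unplugging cables; it does not replace them.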

Notes

This procedure is only secure if you perform steps 1-15 in this exact order.

Perform one or two trial runs of the above procedure with a few bitcents, and make sure that you know how to successfully retrieve them, before making a bulk transfer.

Every time you retrieve bitcoins from your savings wallet, create a fresh savings wallet by repeating the above procedure, and send all your remaining savings balance there.

There is more than one way to do it. Similar procedures have been suggested on the forums here and here.

Beware that even savings wallets have limited lifetimes. New, backwards-incompatible versions of bitcoin might come out in the future, AES might be broken, bit rot might destroy your wallets, etc. Pay attention to updates in the Bitcoin world and update to fresh savings wallets every couple of years, or as needed.